Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

Identity Manager 8.1.4 - Authorization and Authentication Guide

About this guide One Identity Manager application roles Granting One Identity Manager schema permissions through permissions groups Managing permissions to program features One Identity Manager authentication modules OAuth 2.0 / OpenID Connect configuration Multi-factor authentication in One Identity Manager Granulated permissions for the SQL Server and database

Password reset

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authentication module is used for login to Password Reset Portal. The authentication module checks the access code or the employee’s answers to the password questions. In the case of login with an access code, this information is deleted after a successful login.

Credentials

Central user account and access code.

- OR -

Central user account and answers to the password questions.

- OR -

Target system user account and passcode.

- OR -

Target system user account and answers to password questions.

Prerequisites

  • The employee exists in the One Identity Manager database.
  • Using the central user account: The central user account is entered in the employee's master data.
  • Using the target system user account: The user account exists in the One Identity Manager database and the employee is entered in the master data of the employee’s user account.
  • The employee is not deactivated or has the certification status New.
  • The employee has an access code or the questions and answers for the password prompt have been specified.

Set as default

No

Single sign-on

No

Front-end login allowed

No

Web Portal login allowed

No

Remarks

The application token for Password Reset Portal must be specified. You set the application token when installing Password Reset Portal. The application token is saved as a hash value in the database in the QER | Person | PasswordResetAuthenticator | ApplicationToken parameter and stored encrypted in the web.config file. For detailed information about configuring Password Reset Portal, see the One Identity Manager Web Application Configuration Guide.

In the Designer, modify the following configuration parameters so that target system accounts can be used for logging in. If the configuration parameters are not set, the employee’s central user account is used.

Table 32: Configuration parameters for the authentication module
Configuration parameter Meaning

QER | Person | PasswordResetAuthenticator | SearchTable

This configuration parameter contains the table in the One Identity Manager schema in which user information is stored. The table must contain a foreign key with the name UID_Person, which points to the Person table.

Example: ADSAccount

QER | Person | PasswordResetAuthenticator | SearchColumn

This configuration parameter contains the column from the One Identity Manager table (SearchTable), which is used to search for user name of the current user.

Example: CN

QER | Person | PasswordResetAuthenticator | EnabledBy

This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager (SearchTable table), which enables user account login.

QER | Person | PasswordResetAuthenticator | DisabledBy

This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable), which disables user account login.

Example: AccountDisabled

Password reset (role-based)

NOTE: This authentication module is available if the Identity Management Base Module is installed.

The authentication module is used for login to Password Reset Portal. The authentication module checks the access code or the employee’s answers to the password questions. In the case of login with an access code, this information is deleted after a successful login.

Credentials

Central user account and access code.

- OR -

Central user account and answers to the password questions.

- OR -

Target system user account and passcode.

- OR -

Target system user account and answers to password questions.

Prerequisites

  • The employee exists in the One Identity Manager database.
  • Using the central user account: The central user account is entered in the employee's master data.
  • Using the target system user account: The user account exists in the One Identity Manager database and the employee is entered in the master data of the employee’s user account.
  • The employee is not deactivated or has the certification status New.
  • The employee has an access code or the questions and answers for the password prompt have been specified.
  • The employee is assigned at least one application role.

Set as default

Yes

Single sign-on

No

Front-end login allowed

No

Web Portal login allowed

No

Remarks

The application token for Password Reset Portal must be specified. You set the application token when installing Password Reset Portal. The application token is saved as a hash value in the database in the QER | Person | PasswordResetAuthenticator | ApplicationToken parameter and stored encrypted in the web.config file. For detailed information about configuring Password Reset Portal, see the One Identity Manager Web Application Configuration Guide.

A dynamic system user determined from the employee's application roles. The user interface and the write permissions are loaded through this system user.

In the Designer, modify the following configuration parameters so that target system accounts can be used for logging in. If the configuration parameters are not set, the employee’s central user account is used.

Table 33: Configuration parameters for the authentication module
Configuration parameter Meaning

QER | Person | PasswordResetAuthenticator | SearchTable

This configuration parameter contains the table in the One Identity Manager schema in which user information is stored. The table must contain a foreign key with the name UID_Person, which points to the Person table.

Example: ADSAccount

QER | Person | PasswordResetAuthenticator | SearchColumn

This configuration parameter contains the column from the One Identity Manager table (SearchTable), which is used to search for user name of the current user.

Example: CN

QER | Person | PasswordResetAuthenticator | EnabledBy

This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager (SearchTable table), which enables user account login.

QER | Person | PasswordResetAuthenticator | DisabledBy

This configuration parameter contains a pipe (|) delimited list of Boolean columns from the One Identity Manager table (SearchTable), which disables user account login.

Example: AccountDisabled

Editing authentication modules

Before you can use an authentication module for logging on, the following prerequisites must be fulfilled:

  1. The authentication module must be enabled.

  2. The authentication module must be assigned to the application.

  3. The assignment of the authentication module to the application must be enabled.

This allows you to log in to the assigned application using this authentication module. Ensure that users found through the authentication module also have the required program function to use the program.

Detailed information about this topic

Enabling authentication modules

To enable an authentication module

  1. In the Designer, select the Base data | Security settings | Authentication modules category.

  2. In the List Editor, select the authentication module.

  3. In the Properties view, set the Activated property to True.

  4. Save the changes.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating